If you're running a DokuWiki, you probably already noticed that we had two security alerts in the last few days.
If not, check out bug reports 1847 and 1853 immediately. 1847 is especially ugly, and exploit code has been seen in the wild.
What happened? Well, basically I messed up. All bugs are in the new ACL Manager introduced in the 2008-05-05 release. I will not go into details. In short, a combination of a path that was not sanitized and a spelling error caused the graver of the two bugs. Evaluating the affected code then led to finding another problem, caused by missing protection against CSRF attacks.
I apologize, these were clearly my mistakes.
Now, can this happen again? Unfortunately, yes. These were not errors made because I didn't know better. On the contrary: I introduced anti-CSRF functions in DokuWiki a while ago, and I'm fully aware of the “don't trust user input” mantra. It was simply human failure, and nobody noticed it for more than a year.
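The two defences named above, an anti-CSRF token check and refusing to trust a user-supplied path, are shown below in a small, self-contained handler. This is an added illustration written for this post, not DokuWiki code (and in Python rather than DokuWiki's PHP); the function names, the session and form layout, the `csrf_token` field name, the page-id syntax and the permission range are all constructed for the example.

```python
"""Generic web-form defences: a synchronizer-token CSRF check and
page-id sanitisation. Added illustration; not DokuWiki's own code."""
import hmac
import re
import secrets
from typing import Optional

# ---- Anti-CSRF: synchronizer token pattern ----------------------------------

def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a per-session random token. The form embeds it in a
    hidden field; a cross-site attacker cannot read it, so a forged POST
    cannot carry a matching value."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(32)
    return session["csrf"]

def check_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """True only if the submitted token equals the session's token.
    hmac.compare_digest keeps the comparison constant-time; comparing bytes
    avoids the ASCII-only restriction of str comparison."""
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode("utf-8"))

# ---- "Don't trust user input": page/namespace id sanitisation ---------------

# Constructed id syntax: lowercase alphanumerics, '_' and '-', with ':' as the
# namespace separator. '.', '/' and '\' are simply not in the allow-list, so
# traversal sequences can never reach the filesystem layer.
_ALLOWED = re.compile(r"^[a-z0-9_:-]+$")

def sanitize_page_id(raw) -> Optional[str]:
    """Return a safe page id, or None if the input must be rejected."""
    if not isinstance(raw, str) or not raw:
        return None
    pid = raw.strip().lower()
    if not _ALLOWED.fullmatch(pid):
        return None
    # Empty namespace segments ("a::b", ":a", "a:") are malformed too.
    if any(seg == "" for seg in pid.split(":")):
        return None
    return pid

# ---- A minimal handler combining both ---------------------------------------

def handle_acl_update(session: dict, form: dict, acl: dict) -> str:
    """Simulated POST handler for an ACL rule. Checks the token first, then
    every field, and only then mutates state. Returns a status string."""
    if not check_csrf_token(session, form.get("csrf_token")):
        return "rejected: csrf"
    pid = sanitize_page_id(form.get("ns", ""))
    if pid is None:
        return "rejected: bad id"
    try:
        level = int(form.get("perm", ""))
    except (TypeError, ValueError):
        return "rejected: bad level"
    if not 0 <= level <= 255:  # constructed permission range
        return "rejected: bad level"
    acl[pid] = level
    return "ok"

if __name__ == "__main__":
    # Constructed walk-through: one request without a token, one with a
    # traversal-looking id, one well-formed.
    sess, rules = {}, {}
    tok = issue_csrf_token(sess)
    print(handle_acl_update(sess, {"ns": "wiki:syntax", "perm": "4"}, rules))
    print(handle_acl_update(sess, {"csrf_token": tok, "ns": "../conf", "perm": "4"}, rules))
    print(handle_acl_update(sess, {"csrf_token": tok, "ns": "wiki:syntax", "perm": "4"}, rules))
```

The order in `handle_acl_update` is the point: the token check gates everything else, the id is validated against an allow-list rather than by stripping known-bad substrings, and nothing is written until every field has passed.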
In theory, open-source software is more secure, because everybody can look at the code and quickly identify security flaws. And in fact that is probably how these flaws were detected. Unfortunately, the number of eyeballs looking at the source code is still very low.
And this is probably even more true for my code. I do have a look at all code that is submitted to the DokuWiki project and thus will also look for possible security bugs. Unfortunately, this is not true the other way round. There is no guarantee that someone reads what I check into the revision control system, even though a daily changelog mail goes to the mailing list.
If you are a developer, please understand that even though I'm the project lead, I do make errors. I beg you to distrust my code. Have a look at everything I check in and tell me when I mess up.
DokuWiki is still very good code and generally secure. But if security flaws are found, we fix them. Usually in less than 24 hours. That's all we can do.
If you run DokuWiki be sure to keep the update check enabled and upgrade as soon as a fix is available.
PS: If this blog post works, more people will audit the DokuWiki source code. So don't be surprised if more security alerts pop up. I know it's annoying, but it eventually makes the software more secure.